CCI-003108

The organization defines the state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes that the developer of the information system, system component, or information system service is required to include when demonstrating the use of a system development life cycle.

Implementation Guidance

The organization being inspected/assessed defines and documents within contracts/agreements, the requirement for the developer to provide information regarding the state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed defines the state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes that the developer of the information system, system component, or information system service needs to include when demonstrating the use of a system development life cycle.

Compelling Evidence

1.) System development life cycle (SDLC) includes organization-defined state-of-the-practice system/security engineering methods, software development methods , testing/evaluation/validation techniques, and quality control processes.

The controls below (if any) were marked by NIST as being related to CCI-003108.